5D Mark II

Firmware progress
* The Magic Lantern firmware provides many CHDK-like functions for the camera.
* The 1.0.7 firmware updater has been decrypted with dissect_fw3.2 (forum discussion).
* The 1.1.0 firmware has been dumped and a custom init task is running.
* The ROM has been dumped (forum discussion).
* Many DryOS functions have been mapped.
* A FAT16 bootable SD card does not seem to work; perhaps the volume label must be EOS_DEVELOP? (The code at 0xffff50d0 compares against it and BOOTDISK.)
* Trampoline / shim code has been run through the firmware update routine to allow user task creation. TaskSleep() has not been found, so the user tasks consume all of the CPU.
* User firmware runs! It doesn't do much yet, but it is a start.
* The DryOS structures page has details on the internals.
* On-screen audio meters are working.
* Zebra stripes are also working.

CPU info
* CPU ID 0x41059461: implementer "A", variant 0, architecture 5, part 946, revision 1
* Cache type 0x0f112112: unified cache, 32-byte cache lines (isize/dsize), 4-way associative, 8 KB total
* Cache setup 0x0005107d:
** MMU enabled
** Alignment fault disabled
** Cache enabled
** Big-endian operation
** System protection = 0
** ROM protection = 0
** I-cache enabled
** Exception vectors at 0x00000000
** Random cache replacement
** L4 bit unset

Memory maps
* 0xFF80_0000 - 0xFFFF_FFFF: RAM copy of the DryOS ROM image and code (copied from ROM0 at boot)
* 0xF800_0000 - 0xF880_0000: ROM0 image of DryOS (alias of 0xFF80_0000?)
* 0xF000_0000 - 0xF080_0000: ROM1 image (strings, bitmaps and other stuff?)
* 0x4000_0000: 32 KB tightly-coupled memory region?
* 0x0080_0000: Flasher code load address
* 0x0000_0000: Reset vectors
* 0x0000_0480: Reset routine? Copied from 0xFF812B30 to 0x480 at startup
* 0x0027_F000: Interrupt handler stack
* 0x0002_0740: Interrupt handler context buffer
* 0x0000_0664: Some sort of pointer to a kernel structure
* 0xC000_0000: Memory-mapped device?
* 0x0000_1900, 0x1928: Last panic code?
* 0x0000_2DC8: A kernel structure copied from the stack

Control registers
CP15 values as read while the flasher program is running:

  c1,c0,0: 0005107d // control register
  c2,c0,0: 00000070 // data cache bits
  c2,c0,1: 00000070 // inst cache bits
  c3,c0,0: 00000070 // data buffer bits
  c3,c0,1: 00000000 // inst buffer bits
  c5,c0,2: 03333333 // extended data access bits
  c5,c0,3: 03333333 // extended inst access bits
  c6,c0,0: 0000003f // region 0
  c6,c1,0: 0000003d // region 1
  c6,c2,0: e0000039 // region 2
  c6,c3,0: c0000039 // region 3
  c6,c4,0: ff80002d // region 4
  c6,c5,0: 00000039 // region 5
  c6,c6,0: f780002d // region 6
  c6,c7,0: 00000000 // region 7

The c6 values are the protection region registers (read via mcr p15, 0, r0, c6, cM and interpreted according to the ARM946 protection region register layout). The data and instruction access permissions (mcr p15, 0, r0, c5, c0, 2 and mcr p15, 0, r0, c5, c0, 3) are both 0x03333333, i.e. user and system read/write access to all regions.

* Startup at 0xFF81_0000, which jumps to 0xFF81_000C
* Data segment or config? 0x1900 - 0x20740
* BSS? 0x20740 - 0x47750

Events and properties
See DryOS structures for more details.

Available firmware dumps & updates
* EOS 5D Mark II fw 1.1.0 -- http://web.canon.jp/imaging/eosd/firm-e/eos5dmk2/firmware.html

Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs.

Layout of the 1.1.0 .fir file (fileLen = 0x92224c):

  --- .fir header ---
  0x000: modelId = 0x80000218 (5D Mark II, DryOS)
  0x010: version = 1.1.0
  0x020: checksum = 0xb7384f65
  0x024: updater1 header = 0xb0
  0x028: updater1 offset = 0x120
  0x02c: updater2 offset = 0xffffffff
  0x030: firmware offset = 0x1a0cd0
  0x034: 0xffffffff
  0x038: embedded file size = 0x92224c
  0x03c: 0x0
  0x040: sha1 seed = 0x9d6fd907
  0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20
  0x060: 0x1a0cd0
  0x064: firmware length = 0x78157c
  0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea
  0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d
  --- updater1 header ---
  0x0b0: updater1 length = 0x1a0bb0, starts at 0x120
  0x0b4: 0x1a0ba4
  0x0b8: 0x0
  0x0bc: xor seed value = 0x348e2ce8
  0x120: --- updater1 (ciphered) ---
  --- firmware header ---
  0x1a0cd0: (+0x000) offset to decryption data = 0xc
  0x1a0cd4: (+0x004) offset to encrypted data = 0x7c, starts at 0x1a0cd0
  0x1a0cd8: (+0x008) total firmware length (including header) = 0x78157c, starts at 0x1a0cd0
  0x1a0cdc: (+0x00c) firmware length (encrypted part) = 0x781500, starts at 0x1a0d4c
  0x1a0d4c: (+0x07c) --- firmware (encrypted) ---

Magic Lantern support
Magic Lantern is now widely accepted as the replacement for CHDK on the 5D Mark II.
* Magic Lantern Firmware
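The .fir layout listed under "Available firmware dumps & updates" can be read back and sanity-checked before any decryption is attempted. The following parser is an added example, not code from CHDK, Magic Lantern or dissect_fw; it assumes little-endian 32-bit fields and an ASCII version string at 0x10 (both assumptions), and the field names are its own. The sample image is constructed from the 1.1.0 header values quoted above, with everything else zero-filled.

```python
import struct

# Header word offsets taken from the .fir layout above (names are this example's own).
HEADER_WORDS = {
    0x000: "model_id", 0x020: "checksum", 0x024: "updater1_header",
    0x028: "updater1_offset", 0x02c: "updater2_offset", 0x030: "firmware_offset",
    0x038: "file_size", 0x040: "sha1_seed", 0x064: "firmware_length",
}

def parse_fir(data: bytes) -> dict:
    """Decode the .fir header plus the updater1 and firmware sub-headers and
    cross-check the offsets and lengths against each other and the file size."""
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]   # little-endian assumed
    h = {name: u32(off) for off, name in HEADER_WORDS.items()}
    h["version"] = data[0x10:0x20].split(b"\0", 1)[0].decode("ascii", "replace")  # ASCII assumed
    h["updater1_hmac"] = data[0x68:0x7c].hex()
    h["firmware_hmac"] = data[0x88:0x9c].hex()
    h["has_updater2"] = h["updater2_offset"] != 0xffffffff    # 0xffffffff means "absent"
    uh, fw = h["updater1_header"], h["firmware_offset"]
    h["updater1_length"], h["xor_seed"] = u32(uh), u32(uh + 0xc)
    h["fw_decrypt_info_offset"], h["fw_encrypted_offset"] = u32(fw), u32(fw + 4)
    h["fw_total_length"], h["fw_encrypted_length"] = u32(fw + 8), u32(fw + 0xc)
    h["encrypted_start"] = fw + h["fw_encrypted_offset"]      # where the ciphered firmware begins
    checks = [
        (h["file_size"] == len(data), "embedded file size != actual size"),
        (h["updater1_offset"] + h["updater1_length"] == fw, "updater1 does not end at firmware offset"),
        (h["fw_total_length"] == h["firmware_length"], "firmware sub-header length != header length"),
        (h["fw_encrypted_offset"] + h["fw_encrypted_length"] == h["fw_total_length"], "encrypted length mismatch"),
        (fw + h["fw_total_length"] == len(data), "firmware does not end at end of file"),
    ]
    h["problems"] = [msg for ok, msg in checks if not ok]
    return h

def build_sample() -> bytes:
    """Constructed 1.1.0-shaped image: zero filled except for the header values quoted above."""
    buf = bytearray(0x92224c)
    words = [(0x000, 0x80000218), (0x020, 0xb7384f65), (0x024, 0xb0), (0x028, 0x120),
             (0x02c, 0xffffffff), (0x030, 0x1a0cd0), (0x038, 0x92224c), (0x040, 0x9d6fd907),
             (0x064, 0x78157c), (0x0b0, 0x1a0bb0), (0x0bc, 0x348e2ce8),
             (0x1a0cd0, 0xc), (0x1a0cd4, 0x7c), (0x1a0cd8, 0x78157c), (0x1a0cdc, 0x781500)]
    for off, val in words:
        struct.pack_into("<I", buf, off, val)
    buf[0x10:0x15] = b"1.1.0"
    buf[0x68:0x7c] = bytes.fromhex("628b5312662b43592dd23ade1e93e0cf922d8aea")
    buf[0x88:0x9c] = bytes.fromhex("63447a6a31673aff18d2ef0fe76afead2635ce6d")
    return bytes(buf)

if __name__ == "__main__":
    info = parse_fir(build_sample())
    print(f"model 0x{info['model_id']:08x} v{info['version']}, encrypted firmware at 0x{info['encrypted_start']:x}")
    print("problems:", info["problems"] or "none")
```

On the constructed image every cross-check passes (updater1 ends exactly at the firmware offset, and 0x7c + 0x781500 = 0x78157c ends exactly at fileLen), which is the quickest way to tell a complete, untampered .fir from a truncated or mis-split one before trusting its HMACs.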